North American Network Operators Group


Re: Let's talk about Distance Sniffing/Remote Visibility

  • From: Richard A Steenbergen
  • Date: Thu Mar 28 12:22:02 2002

On Thu, Mar 28, 2002 at 09:23:41AM -0600, [email protected] wrote:
> Yeah, the device I've got in my head is a 1U server with 4 (or more?)
> interfaces... not so much to simultaneously pull 400Mbps of bandwidth
> for analysis but rather to just have an interface going to each switch I
> might want to monitor and then span traffic to the Ethereal box. Given
> that I'm trying to attain remote visibility, it might be nice not to
> need remote hands to be swapping patch cords back and forth.
> I'm imagining that even with a relatively speedy box, if you were trying
> to do analysis from multiple interfaces you'd at least choke the disk
> I/O. There's always stringent filters, I guess.

Disk I/O on a sniffer box? Sounds like you've been sniffing something 
other than packets my friend. :)

You can build your own box like that easily enough. If you're going for
FastE sniffing I highly recommend the Adaptec Quartet 4-port cards. If
you're going for GigE sniffing, I STILL highly recommend anything Alteon
Tigon 2 based (NetGear GA620's were the cheapest if you can still find
them, not the 621/622).

I've had great luck making the Tigon 2's into dedicated sniffers. You
don't even have to do anything fancy with the card firmware, there is a
native command for receiving only part of the frame. Check out the
programming manuals at, and I
recommend you use FreeBSD for this of course. Just add in a PARTIAL_RX_CNT
command, and the card will only DMA part of the packet (say 64 bytes for
full headers) across the PCI bus. Combined with interrupt coalescing (or
luigi's device polling and tuning the card to allocate all memory to RX
and remove the TX functionality completely), you can sniff quite a few
"gigabits" of traffic on a single cheap PC server. You can dump it through
the BPF mechanism and still maintain support for all your favorite sniffer
programs. Or if you're comfortable writing kernel code, I recommend you
make a character device for sniffer device control, and use it to pass
page-aligned malloc'd memory pointers from userland into the nic driver,
which you then pass to the card as the RX ring buffers. This will let you
DMA your packets directly into userland. If not, at least unhook
ether_input(). :)

Or you can buy these things commercially. My favorite was from a company
called Tekelec, who sold a VERY expensive box which turned out to be a
pentium 200ish box running solaris x86 and completely useless sniffing
software, with a bunch of ISA ethernet cards hooked up by proprietary (and
VERY expensive) cables, all in a box made out of what I swear was some
kind of lead/neutron star material alloy. Of course that was a couple
years ago, maybe they've upgraded to the current market's $50 processor.  

Richard A Steenbergen <[email protected]>
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
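The "64 bytes for full headers" figure in the post above is worth checking against real frames. The following Python script is an added example, not code from the poster or from any NIC driver: it models what a partial-receive command or a pcap snaplen does (only the first N bytes of each frame reach the host), then parses the truncated bytes back into the flow 5-tuple and reports whether the headers survived intact. The frames are constructed inline (Ethernet/IPv4/TCP with zeroed checksums); the option bytes in `SYN_OPTIONS` and all function names are assumptions of this example. It also covers the case the post does not mention: a plain data packet fits in 64 bytes with room to spare, but a SYN carrying the usual 20 bytes of TCP options (MSS, SACK-permitted, timestamps, window scale) has a 40-byte TCP header and needs a larger snapshot.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17

# Constructed TCP options typical of a SYN (MSS, SACK-permitted, timestamps,
# NOP, window scale): 20 bytes, so the TCP header becomes 40 bytes.
SYN_OPTIONS = (bytes.fromhex("020405b4")               # MSS 1460
               + bytes.fromhex("0402")                  # SACK permitted
               + bytes.fromhex("080a0000000100000000")  # timestamps
               + b"\x01"                                # NOP
               + bytes.fromhex("030307"))               # window scale 7


def build_frame(src_ip, dst_ip, sport, dport, payload=b"", flags=0x18, options=b""):
    """Construct a minimal Ethernet/IPv4/TCP frame as test input (not captured
    traffic). Checksums are left zero; they do not affect header slicing."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")  # dst, src, IPv4
    assert len(options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    doff = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, flags,
                      65535, 0, 0) + options
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp + payload


def snapshot(frame, snaplen=64):
    """Model of a partial-receive NIC or a pcap snaplen: only the first
    snaplen bytes of each frame are delivered to the host."""
    return bytes(frame[:snaplen])


def parse_snapshot(snap):
    """Recover the flow 5-tuple from a truncated frame and report whether the
    headers were complete. Returns a dict; an 'error' key marks a header that
    did not fit in the snapshot."""
    if len(snap) < 14:
        return {"error": "ethernet header truncated"}
    ethertype = struct.unpack("!H", snap[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"error": "unsupported ethertype 0x%04x" % ethertype}
    if len(snap) < 34:
        return {"error": "ipv4 header truncated"}
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", snap[14:34])
    if ver_ihl >> 4 != 4:
        return {"error": "not ipv4"}
    l4_off = 14 + (ver_ihl & 0x0F) * 4          # IHL may include IP options
    if len(snap) < l4_off:
        return {"error": "ipv4 options truncated"}
    info = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "wire_len": 14 + total_len, "captured": len(snap)}
    if proto == PROTO_TCP:
        if len(snap) < l4_off + 20:
            return {**info, "error": "tcp header truncated"}
        sport, dport, _, _, doff_byte, flags = struct.unpack(
            "!HHIIBB", snap[l4_off:l4_off + 14])
        hdr_end = l4_off + (doff_byte >> 4) * 4  # data offset covers TCP options
        info.update(sport=sport, dport=dport, flags=flags, tcp_hdr_len=hdr_end - l4_off,
                    headers_complete=len(snap) >= hdr_end,
                    payload_captured=max(0, len(snap) - hdr_end))
    elif proto == PROTO_UDP:
        if len(snap) < l4_off + 8:
            return {**info, "error": "udp header truncated"}
        sport, dport = struct.unpack("!HH", snap[l4_off:l4_off + 4])
        info.update(sport=sport, dport=dport, headers_complete=True,
                    payload_captured=len(snap) - (l4_off + 8))
    return info


def demo(snaplen=64):
    """Run two constructed frames through a snaplen-limited capture: a data
    segment with 38 bytes of payload and an option-laden SYN."""
    data = build_frame("10.0.0.1", "10.0.0.2", 40000, 80,
                       payload=b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n")
    syn = build_frame("10.0.0.1", "10.0.0.2", 40001, 80, flags=0x02, options=SYN_OPTIONS)
    return {"data": parse_snapshot(snapshot(data, snaplen)),
            "syn": parse_snapshot(snapshot(syn, snaplen))}


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, rec)
```

With the default 64-byte snapshot the data segment yields a complete 5-tuple plus ten bytes of payload, while the SYN comes back with `headers_complete` false because its 40-byte TCP header ends at offset 74; rerunning `demo(snaplen=96)` makes both complete. The practical point for a header-only sniffer is to size the partial-receive count from the largest header stack you need (VLAN tags and IP or TCP options included) rather than from the common case.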